My OpenVPN config had grown into a thing I was afraid to touch. Three certificate files, a TLS auth key, a list of pushed routes I no longer trusted, and a connection that would drop the moment my phone switched from wifi to mobile and sulk for thirty seconds before reconnecting. It worked, mostly, in the way that load-bearing duct tape works.
WireGuard is the whole config on one screen. A private key, a public key, an allowed-IPs line, an endpoint. That is it. No daemon mythology, no cipher negotiation to get wrong, just a key pair and a list of which addresses go down the tunnel.

[Interface]
PrivateKey = <redacted>
Address = 10.7.0.2/32

[Peer]
PublicKey = <server key>
Endpoint = vpn.i0.pm:51820
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25

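The AllowedIPs line does double duty: it picks which outbound destinations go down the tunnel, and it is the filter on which source addresses a peer may send from. The sketch below is an added example, not part of the original post or of WireGuard's own code; it parses a constructed copy of the config above and applies longest-prefix matching, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample mirroring the config above; key values are placeholders.
SAMPLE = """\
[Interface]
PrivateKey = <redacted>
Address = 10.7.0.2/32

[Peer]
PublicKey = <server key>
Endpoint = vpn.i0.pm:51820
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25
"""

def parse_peers(text):
    """Return one {'publickey': str, 'allowedips': [networks]} dict per [Peer]."""
    peers, section = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("["):
            section = line.strip("[]").lower()
            if section == "peer":              # [Peer] may repeat, so no configparser
                peers.append({"publickey": None, "allowedips": []})
        elif section == "peer" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() == "publickey":
                peers[-1]["publickey"] = value
            elif key.lower() == "allowedips":
                peers[-1]["allowedips"] += [
                    ipaddress.ip_network(item.strip(), strict=False)
                    for item in value.split(",") if item.strip()]
    return peers

def peer_for(peers, address):
    """Longest-prefix match over AllowedIPs; None means the packet bypasses the tunnel."""
    addr = ipaddress.ip_address(address)
    matches = [(net.prefixlen, peer["publickey"])
               for peer in peers for net in peer["allowedips"]
               if net.version == addr.version and addr in net]
    return max(matches)[1] if matches else None

def inbound_allowed(peers, public_key, source):
    """A decrypted packet is accepted only if its source maps back to the sending peer."""
    return peer_for(peers, source) == public_key
```

With `AllowedIPs = 10.0.0.0/8` this is a split tunnel: `peer_for` returns `None` for any public address, so that traffic leaves over the local network unencrypted by the VPN.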
The thing that actually sold me is roaming. Because WireGuard is stateless on the wire, switching networks just works. My phone moves from the house to the train and the tunnel does not notice, no reconnect, no thirty-second sulk. The first time I watched an SSH session survive a wifi-to-4G handover I genuinely grinned at my phone.
It has been a few months now and I have stopped thinking about my VPN, which is the highest praise I can give any piece of infrastructure.